ASIC releases digital advice guidance

RG 255 does not differ greatly from the draft regulatory guide issued by ASIC in March 2016, with its Consultation Paper 254.

RG 255 includes the following measures and guidance proposed in ASIC’s Consultation Paper 254:

Guidance on AFS licensing (and authorisation) arrangements for digital advice providers. This includes a requirement that a digital advice licensee has at least one responsible manager who meets the minimum training and competence standards applicable to human advisers, to satisfy the organisational competence obligation (subject to a six-month transition period for existing licensees). It also includes guidance on the following other relevant general AFS obligations:

having adequate human and technological resources (including measures for choosing and monitoring outsourced service providers);

having adequate risk management systems (including monitoring and testing algorithms underpinning the provision of digital advice, and addressing cyber risks and information security). As ASIC indicated in its consultation paper, self-certification and independent third-party monitoring are not required; and

having adequate compensation arrangements.

Guidance on providing scaled personal advice that is in the best interests of clients and meets related obligations (such as the obligation to provide appropriate advice and warn clients if advice is based on incomplete or inaccurate information). This includes reviewing a sample of digital advice on an ongoing basis (and more frequently for new advice tools or changed algorithms).

RG 255 also includes the following additional or revised guidance:

While RG 255 is primarily for those providing or wanting to provide digital advice, ASIC is now also encouraging businesses that provide associated services (for example, technology or compliance services) to consider it.

The ways in which licensees should monitor and test have been modified to reflect that:

records of changes to algorithms (over seven years) can be kept in different ways (for example, by storing different versions of an algorithm electronically);

controls and processes for suspending the provision of digital advice if an error within an algorithm is detected are required where the error has resulted, or is likely to result, in client loss and/or a breach of the Corporations Act. This seems to reflect, more broadly, a recognition by ASIC that algorithm errors don’t necessarily cause client loss or a breach of the law. However, ASIC reiterates that advice should not be provided to clients until an error is rectified and recipients of inappropriate advice should be identified and contacted as part of any rectification process; and

digital advice providers are expected to have appropriate internal sign-off processes in place.

ASIC draws attention to its Report 468 Cyber resilience assessment report: ASX Group and Chi-X Australia Pty Ltd (REP 468) as a source of examples of emerging good practices implemented to deal with cyber risks in the wider financial services sector.

Any communications to clients (via digital means) about the limited nature of scaled digital advice should be monitored on an ongoing basis so that ‘information is presented in a way that facilitates client engagement and understanding’. This is an extension of ASIC’s expectation that providers consider how information is likely to be interpreted when accessed via different electronic devices.

ASIC acknowledges that ‘triage’ or filtering processes may take place in different ways, including by offering a digital advice tool only to clients that have certain characteristics, or by filtering at key points during the digital advice process.

ASIC thinks it is good practice that providers confirm with a client that all of their relevant circumstances are up to date and accurate, and the client is ready to proceed with receiving advice, before finalising the digital advice and generating an SOA.

The most significant difference between RG 255 and ASIC’s earlier draft is that RG 255 contains a number of very detailed examples (see Examples 5, 6 and 7) relating to the provision of digital scaled advice to illustrate:

adherence to the ‘best interests’ obligation;

how potential clients can be ‘triaged’ or filtered so that they are not provided with inappropriate advice, including by using a combined (or hybrid) model where the digital advice tool refers clients with complex circumstances to a human adviser;

how strategic advice can be given digitally; and

how providers can determine that a client has finished inputting their data into a digital advice tool (and, consequently, when an SOA should be generated).